COVID vaccine certificates can be forged within 10 minutes due to 'obvious' security flaw


ABC Science / By technology reporter James Purtill
Australians fully vaccinated against COVID-19 can use a digital certificate as proof of vaccination.


Near-perfect forgeries of the federal government's COVID-19 vaccine digital certificate can be made in 10 minutes using free software, a member of the public has discovered.


Richard Nelson, a software engineer in Sydney, has found an 'obvious' security flaw in the Express Plus Medicare app allowing him to make vaccine certificates with any name and date of birth and featuring the background animations meant to prevent forgery.


The Prime Minister has previously said the certificates are a 'credible and effective' way for states to administer exemptions from aspects of lockdowns.


The discovery of the flaw could put a hold on state and federal governments allowing the vaccinated more freedoms.


Mr Nelson found the security hole in the current system (which was launched more than two months ago) while mucking around with the Express Plus Medicare app one evening last week.


"It's a very basic flaw. I thought surely there would be some kind of mitigation to stop this kind of attack, but there wasn't."


Key points:

- A flaw in the Medicare app means Australia's COVID-19 vaccine digital certificates can be forged
- A basic security audit would have identified the vulnerability
- Without confidence in certificates, governments may delay giving the vaccinated more freedoms


This should not be anywhere near this easy to fool (I'm not vaccinated.. yet) pic.twitter.com/faTQws7XhxX

— Richard Nelson (@wabzqem) August 18, 2021
Other security experts have confirmed it's the kind of obvious vulnerability that would have been picked up in a basic security audit of the app.


To demonstrate how easy it is to forge certificates, Mr Nelson took 10 minutes to make a counterfeit certificate with the name of this reporter (who hasn't yet had all their shots).
Video (YouTube): A counterfeit COVID-19 vaccine certificate


"I don't think it's a good idea to get it out there among the antivax crowd," he said.


"People who don't have a valid certificate can fairly easily present one — the implications of that are left up to the imagination."


Will it be fixed? 


After discovering the flaw, Mr Nelson sent detailed instructions to the government, but has not yet heard back.


In response to questions from the ABC, a spokesman for Employment Minister Stuart Robert, who has ministerial responsibility for data and digital policy, said the government has 'iteratively updated proof of vaccination certificates'.


"The government will continue to iteratively update the proof of vaccination certificates ... including bolstering security measures," he said.


From the response, it wasn't clear if the government would be patching the vulnerability (which would require an update of the Medicare app).


Basic security audit would have found flaw 


The security vulnerability is different to the one identified by Senator Rex Patrick earlier this month.


The senator used "a few graphics tools" to make a forgery of the PDF export of the vaccine certificate.
Senator Rex Patrick has forged his own COVID-19 vaccination certificate in an effort to expose flaws in its design. (ABC News: Matthew Doran)


This only works on the PDF, as the certificate within the app itself is protected against counterfeiting by an animated tick, a live clock and a shimmering coat of arms (similar to the type used for digital drivers' licences).


As can be seen in the video above, Mr Nelson's more sophisticated forgery includes these anti-fraud features.


Mr Nelson said the flaw would have been "absolutely" raised in a security audit. 


"Or, they didn't do a security audit," he said. 


This isn't the first time the experienced software developer has poked holes in government IT systems.


He was one of the members of the tech community who found important vulnerabilities in the COVIDSafe app last year, including the fact that the tracking app did not work properly on a locked iPhone.


Privacy expert Vanessa Teague, another prominent member of the tech community, said the Medicare app flaw was 'unsurprising after experiencing COVIDSafe'.


"Oh yeah, wow," she said.


"It's very easy to fix that flaw. It would take five minutes." 


'Certificates need QR-code digital signatures'

The certificates also have a bigger security problem, she said.


Other designs, such as that used by the EU, have a digital signature in the form of a QR code that can be verified as a defence against fraud.


Such a system would be much harder to trick. 


"They still have to do something a bit like what the EU has done," Ms Teague said.


"There has to be some cryptographic way of verifying that the information is correct."





The EU vaccine certificate is used for international travel as well as entry to cafes, museums and other public places. (Getty: Artur Widak)


The Prime Minister has flagged the vaccine certificate will get an overhaul in October, though it's not clear if the new version will only be used for international travel and work alongside the existing vaccine certificates.


In early July, the Australian Digital Health Agency, a statutory body responsible for implementing various digital health initiatives, issued a Request for Tender for a smartphone app for storing digital vaccination certificates, along with the results of COVID-19 tests.


The proposed mobile app will be ready "prior to December 2021" and feature 'multiple authenticity and anti-fraud measures'.


The spokesman for Mr Robert did not respond to questions about whether the government was working on a new type of vaccine certificate.